Krebs on Security

In-depth security news and investigation

Rootkit May Be Culprit in Recent Windows Crashes

There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.

Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.

Barnes said he traced the problem on each machine back to “atapi.sys” — a Windows storage driver (which lives in %SystemRoot%\System32\drivers\). When he sent the atapi.sys files that were on the customer machines up for a scan at Virustotal.com, the results suggested malware had injected itself into the system file.

That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.

Interestingly, Alureon is among the Top 10 threats that Microsoft’s various security technologies — including its “malicious software removal tool” — regularly detect on Windows systems. According to Microsoft’s own Security Intelligence Report, Microsoft’s security products removed nearly 2 million instances of Alureon from Windows systems in the first half of 2009 alone, up from a half million in the latter half of 2008.

Barnes said “atapi.sys” makes an attractive target for a rootkit because it is a core Windows component that gets started up early as Windows is first loading. “It’s started up very early in the boot process, and because of that it makes these kinds of threats sometimes very hard to detect and remove,” Barnes said in a telephone interview with krebsonsecurity.com.

Replacing the compromised atapi.sys file with a clean, known-good version will get affected systems booting normally again, Barnes said. He has instructions for doing just that at his blog. You’ll need to have a copy of the Windows installation disc handy.

I’d urge anyone who has already recovered from a BSoD or infinite reboot loop after installing this week’s patches to scan their systems with several different security tools, as the rootkit buried in atapi.sys is likely just there to hide the presence of a larger, more systemic malware infection. Restoring from a known-good backup would be ideal; however, most home users sadly do not have backup images to rely upon.
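As an added example (not from the article and not Barnes’ own instructions), the following PowerShell script hashes and signature-checks boot-start storage drivers such as atapi.sys so that a patched copy stands out and its hash can be looked up on Virustotal.com before the file is replaced; the driver list is an assumption, and the script needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the article: hash and signature-check boot-start storage
# drivers (atapi.sys among them) so a modified copy can be spotted and its SHA-256
# looked up on Virustotal.com. Assumes PowerShell 4.0+ (Get-FileHash); the driver
# list below is an assumption, extend it as needed.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$drivers   = @('atapi.sys', 'disk.sys', 'ntfs.sys', 'volsnap.sys')   # assumed list

function Test-StorageDriver {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Sha256 = $null; Signer = $null }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Microsoft signs most in-box drivers through catalog files. On Windows 8 and later
    # Get-AuthenticodeSignature consults the catalogs; on older systems a 'NotSigned'
    # result alone does not prove tampering, so compare the hash against a clean copy
    # from the installation media before treating the file as compromised.
    $status = switch ($sig.Status) {
        'Valid' { if ($signer -like '*Microsoft*') { 'OK' } else { 'SignedByOther' } }
        default { "Suspect ($($sig.Status))" }
    }
    [pscustomobject]@{ Path = $Path; Status = $status; Sha256 = $hash; Signer = $signer }
}

$results = foreach ($name in $drivers) { Test-StorageDriver -Path (Join-Path $driverDir $name) }
$results | Format-Table -AutoSize

# A running kernel rootkit can hide its own changes from the live system, so repeat the
# check after booting from clean media (WinPE or a rescue CD) with the disk mounted
# offline. The SHA-256 of any 'Suspect' driver can then be searched on virustotal.com
# before the file is replaced from the installation disc, as the article describes.
```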

ESET, F-Secure, BitDefender, and several other AV vendors offer free online scanners that can remove malware. In addition, F-Secure offers a free Blacklight tool that does a great job scanning for and removing rootkits. McAfee’s free Stinger tool can also scan for and remove many threats.

This entry was posted on Friday, February 12th, 2010 at 3:36 pm and is filed under Latest Warnings, Time to Patch.

I understand that principle and use a live-CD every time I don’t trust a system 100%. But where to find a live CD that knows enough about the latest Windows malware? So I can use it to be sure my system is safe.

It’s probably a good idea too to change all your passwords for online stuff, especially sensitive ones. Of course, do it from a known clean and secure system. With a rootkit or nasty malware of this nature, who knows what information has been lifted off the infected system!

The rootkit in question is not really part of the TDSS family but may be the work of the same author.

It is referred to as TDL3 and is updating rapidly and spreading via an unpatched vulnerability in the Windows printer spool service. The current version is v3.241 and the dropper packages and payload vary enough to slip past even the better AV packages.

It is primarily spread via the same routes as fake antimalware and is often not removed as it’s quite difficult to detect unless you specifically look for it.

The main symptom users report is redirection of Google and other searches to non-related sites.

This rootkit can be removed without an OS reinstall by a competent repair technician using specialist tools or one of a few tools which will detect and remove it.

I usually check for this family of rootkits by searching Google for “free avg download.” An uninfested machine will find free.avg.com as one of the top results, and will successfully navigate to it. A machine with this rootkit family will redirect to various sites.

They have done so at least once in the past, and I think they didn’t see any personal benefit from continuing. It could potentially hurt the company financially since it encourages piracy of their OS.

They sometimes even restrict legitimate licensees from patching when license keys get leaked. I once traveled to Canada with a licensed copy and when I tried to patch, it gave me an error that I must do so from my home state. Thankfully they reissued the keys and now I can update from anywhere.

“Q: Do security updates require validation?
A: Security updates are not part of WGA or OGA. You can install security updates using the Windows Automatic Updates feature or download them from the Download Center.”

Eh?
“A linux-based system is more dangerous in the hands of someone who doesn’t know how to secure it than any Windows variant any day”.

I’m retired now but that flies in the face of everything I experienced in a dozen years of running a department with over a thousand machines of all types.

Best counterexample would be my student daughters whose cheap-as-chips Asus EeePCs came with Linux. Both their Windows desktops suffered malware repeatedly. The Linux – whether the original Xandros or the replacement, Ubuntu – never once.

Ever notice how all the malware targets Windows? There’s a reason. The Windows security policy is flawed, and has always been flawed. Switching to a computer running OSX, GNU/Linux, BSD, or Solaris will stop malware attacks cold.

Of course if you like malware, stick with Windows. That’s your choice.

i totally agree with the comments that Terry Cole & The Mad Hatter posted.
i got my first PC in 1998 with Win98 on it & in the three years i used windows, i saw nothing but a constant barrage of viruses. it was a good thing that i kept my antivirus updated, however, constantly watching out for malware got tiresome. i started experimenting with GNU/Linux in 2000. at that time, Microsoft was hyping up Windows XP as being the most secure operating system that they released to date. it was not even two weeks after its release that there were serious security patches released followed by a service pack. in 2001, i decided to dump windows completely & i have been using GNU/Linux exclusively since. i have never had any malware exploits or intrusions in any of my Linux installations.

i also would like to mention that Microsoft is still hyping its latest releases as being the most secure. i call that an oxymoron.

Microsoft just does not get the concept of security… either by design or incompetence, their products should be shunned & ridiculed until they get their act together.

“i have never had any malware exploits or intrusions in any of my Linux installations.”

That doesn’t prove Linux is any more secure. Because I can say the same thing about all my Windows installations since 1995. Tell me how is that possible if Windows is so fatally flawed and Microsoft just doesn’t get security? Seriously?

maybe my one post does not provide proof, however, i can testify that in the last 10 years of using GNU/Linux on the web (without running Anti-Virus, Anti-Spyware software), that i was able to surf the web & not pick up rootkits or viruses or malware at all, period. you will most likely get the same testament from other Linux users.

the Linux kernel is secure because it was designed to be secure. however, Microsoft Windows did not consider security a priority until after the internet concept got popular. it was after that, when Microsoft “bolted on” security to legacy code.

“Tell me how is that possible if Windows is so fatally flawed and Microsoft just doesn’t get security? Seriously?”

like i said in the above statement, however, Microsoft’s insistence on using dangerous technology like Active-X & adding proprietary extensions to standards compliant protocols while not heeding advice from the industry regarding safe coding practices just adds more problems.

as i stated in another post, this article is about a critical system file that got changed by a trojan that was downloaded by a remote exploit.

this kind of crap does not happen in Linux desktop installations unless they were intentionally improperly installed & / or the owner had SSH installed & enabled with no password & had a weak root password or running as root.
Linux does not have Active-X, or a scripting host that has root access.
all of the system files in Linux are protected because they use unix style permissions & users cannot change or modify them.

if microsoft would have just used Unix style file permissions & did away with Active-X in Win-XP, these security problems would have virtually vanished.

Granted, *nix OS’s are configured more secure out of the box. But, it’s not difficult to properly secure a Windows system that equals or surpasses that config using defense in depth techniques.

As to these “dangerous” technologies, how is it I’ve used them since 1995 and haven’t been compromised in any way? It’s not so much about the technology, but about how you configure and use it! It’s about risk management.

I really have no qualms with any non-Microsoft OS or whether someone wishes to use them. I just don’t agree with the mentality that Windows or various other Microsoft products are inherently insecure or dangerous. So, I don’t subscribe to denigrating them and touting alternatives as any real solution to the general public. To do so is just disingenuous.

Don’t conflate Internet Explorer with the Windows operating system. The people here who have been using Windows without incident probably never use IE. It’s an abomination.

Some websites require IE, and some of them are sites that business users have no choice but to interact with. MS is under pressure to continue the current insecure default configuration of IE in order to avoid “breaking” those websites. I wish someone at MS would grow a pair and tell those websites that ActiveX will no longer be enabled by default, give them a decent interval to rewrite their websites, then do what they know they need to do to make the default configuration of IE more secure for naive users.

The Mad Hatter mumbled: “Ever notice how all the malware targets Windows? There’s a reason.”

Could that reason be that the *vast majority* of computers have Windows installed ? Well, duh.

Security by obscurity only goes so far. When, not if, the use of Macs reaches 10% of installed platforms, then the criminals will target them, too. Mac Users are going to be easily Socially Engineered as Apple has convinced them that their OS is Secure.

As far as the use of Linux goes …
Linux will never be an option for most Users since the ‘nix ‘community’ is composed of self-righteous, intolerant, anti-social zealots.
” Welcome to Linux, now go RTFM you ‘tard ”

Just because a server is running a less common operating system like *nix doesn’t make it immune. Although there are more Windows machines, the Unix ones are desirable because they tend to be larger servers. And as mentioned, the owners have been told they don’t need to worry about getting infected by trojans.

You can see one of their websites right now at benurgymfoa.com, hosting its images on several hijacked servers. Here’s one: http://132.206.141.3:8080/images/mcp/logo.jpg
That’s a hijacked server running Linux at McGill University. (That server is only located in Canada by coincidence; the criminals running the sites actually have nothing to do with Canada, nor with St. Louis, MO, the home of the person whose identity was stolen for the domain registration.)
There’s also http://69.169.164.46:8080/images/mcp/logo.jpg
which is a heating and cooling company in Utah running Linux.
There are also servers in China, the Philippines, Venezuela, and Turkey being used for the same website and which are probably also hijacked, though it’s harder to know for sure in those cases.

As far as the use of Linux goes …
Linux will never be an option for most Users since the ‘nix ‘community’ is composed of self-righteous, intolerant, anti-social zealots.
” Welcome to Linux, now go RTFM you ‘tard ”

Never once in 16 years having run and administered various distros have I ever come across or displayed that attitude. Time to reintroduce yourself to your myopic, gullible man pages.

” Never once in 16 years having run and administered various distros have I ever come across or displayed that attitude. Time to reintroduce yourself to your myopic, gullible man pages. ”

Really ? Then perhaps you need to read the comments posted to this article. They are exactly the kind of comments that are posted from “Linux zealots” that are generated by *any* article that discusses Windows:

I won’t bother calling you any names as that appears to be a specialty of the ‘nixers and WinNutz.
BTW, I do run Portable Ubuntu on Windows 7 but I’m not a name calling, intolerant OS zealot. I just look like one.

While I really don’t care what OS someone chooses to use. It should be noted that the desktop wars are over. Linux remains a niche OS. Windows still dominates the computer ecosystem with 90+% of the market.

Although there were calls years ago that Linux was going to give Windows a run for its money in the near future, Linux has fallen off the face of the map from a usage perspective. While there are probably more people using Linux on the PC desktop today than ever before, Linux simply hasn’t kept up with overall PC industry growth. While Mac OS X has crept up. Linux, at best, is flat.

Spoken like a true Microsoft evangelist.
are you being paid from Wagner-Edstrom for shilling for microsoft under their “perception management” program, or are you a microsoft employee.
enquiring minds want to know.

all i can say is that because of you stating them false facts, just like all of the other microsoft shills, all over the net, is the dead giveaway that you are, in fact, one of them. they all post the same thing word by word.

I used vipre, and it found the rootkit file, and successfully deleted it.

I was visiting my parents this weekend. They had the BSOD since Tuesday on their XP machine. I changed the atapi file, through repair. I was then able to boot, and ran a vipre full system scan; it found it in the last few minutes of the scan.

@alphacentauri
“Just because a server is running a less common operating system like *nix doesn’t make it immune. Although there are more Windows machines, the Unix ones are desirable because they tend to be larger servers. And as mentioned, the owners have been told they don’t need to worry about getting infected by trojans”

in the first place, the unix server was not compromised by a remote exploit, in most cases, it was because of the administrator’s incompetence by having SSH enabled with weak or no passwords, thus making it easy for someone to take control of the “root” account on the server & install the malware.
otherwise, the server was still working & doing its job & did not crash or go down.

this Article however, is discussing how a critical system file has been changed by malware in windows just by a trojan that most likely was picked up by IE just by landing on a webpage that had the exploit.
this IS considered a remote exploit.
the users that were affected by this issue had no idea that this trojan existed on their PC. apparently, their antivirus did not work or even notify the owner/user that there was a system file compromise.

another thing to point out is that
desktop Linux & Linux servers are two different things. if i go to a website that would infect a windows PC, in Linux, not having WINE installed, nothing happens.
also, *Most* Linux users are security minded & we don’t run as root on the internet.